[ale] Validating email addresses

Michael H. Warfield mhw at WittsEnd.com
Wed Aug 30 19:10:19 EDT 2006


On Wed, 2006-08-30 at 18:00 -0400, Christopher Fowler wrote:
> Is there a way other than communicating with a remote SMTP server to
> validate an address?  Here is an example:

> [cfowler at shuttle ~]$ telnet mx00-dom.earthlink.net 25
> Trying 207.217.125.16...
> Connected to mx00-dom.earthlink.net (207.217.125.16).
> Escape character is '^]'.
> 220 meadowlark.mail.pas.earthlink.net EL___ ESMTP EarthLink Mail Service
> Wed, 30 Aug 2006 14:58:42 -0700 (PDT)
> helo outpostsentinel.com
> 250 meadowlark.mail.pas.earthlink.net Hello outpostsentinel.com
> [66.23.224.81], please to meet you
> mail from:<cfowler at outpostsentinel.com>
> 250 <cfowler at outpostsentinel.com>... Sender ok
> rcpt to:<0123456789 at outpostsentinel.com>
> 250 <0123456789 at outpostsentinel.com>... Recipient ok
> vrfy
> 502 Command unrecognized "vrfy"
> quit
> 221 meadowlark.mail.pas.earthlink.net closing connection

	AS A SECURITY RULE...  EXPN and VRFY must be disabled.

	Think about this...  Someone, unauthenticated, can come in and verify
if an E-Mail address is accepted and legitimate at your site?  No...  If
you find a way to verify accounts at a site from an unauthenticated
client, this is a security hole.

> I'm the "catch all" for that domain.

	This is a bit of the MX problem where you accept all E-Mail for a
domain but you don't host those accounts.  There are ways to deal with
this, such as ldap, and pop3/imap.  I'm in the same boat for several
domains I'm the MX for.  It's definitely a problem...

> I'm in the process of writing a program that will verify all email
> addresses stored in a database.  The problem is that when I use the 
> "0123456789@<domain>" email address _many_ of the servers are
> responding with a '250' even though no address like that exists.

	Your best shot is ldap (even if you set up a slave ldap server for
those domains).  Otherwise, you're subject to the whims of network
connectivity.

> Is there another way to verify?

	Several...  But you have to have access one way or the other.  Either
you can connect to them to verify or they can connect to you to update
your database.

	Mike
-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471        | possible worlds.  A pessimist is sure of it!
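
Added example, not part of the original message: an offline Python check of a session transcript captured from your own MX, covering the two behaviours discussed in the thread (whether VRFY/EXPN answer, and how RCPT replies to a made-up address). The function names, the example.com/example.org hosts and both abbreviated transcripts are constructed for illustration.

```python
import re
REPLY = re.compile(r"^(\d{3})([ -])")
RCPT = re.compile(r"^rcpt to:\s*<([^@>]+)@[^>]+>", re.I)

def parse_session(text):
    """Pair each client command with the final reply code it received."""
    pairs, cmd = [], None
    for line in text.splitlines():
        m = REPLY.match(line)
        if m is None:
            cmd = line.strip() or cmd    # client line; blank lines are ignored
        elif m.group(2) == " " and cmd:  # "250-" continues a reply, "250 " ends it
            pairs.append((cmd, int(m.group(1))))
            cmd = None
    return pairs

def audit(text, bogus_localparts):
    """What an unauthenticated client learns; 250/251 to VRFY/EXPN confirm a mailbox."""
    disclosing, accepts_bogus, real_ok, bogus_rejected = [], False, False, False
    for cmd, code in parse_session(text):
        verb = cmd.split()[0].upper()
        if verb in ("VRFY", "EXPN") and code in (250, 251):
            disclosing.append(verb)
        m = RCPT.match(cmd)
        if m and m.group(1) in bogus_localparts:
            accepts_bogus |= code == 250
            bogus_rejected |= 500 <= code < 600
        elif m:
            real_ok |= code == 250
    return {"disclosing_verbs": disclosing,
            "rcpt_accepts_bogus": accepts_bogus,
            "rcpt_distinguishes": real_ok and bogus_rejected}

# Constructed, abbreviated transcripts (not captured from any real server).
CATCH_ALL = """220 mx.example.com ESMTP
rcpt to:<0123456789@example.com>
250 Recipient ok
vrfy
502 Command unrecognized "vrfy"
"""
LEAKY = """ehlo client.example.net
250-mx.example.org
250 VRFY
rcpt to:<postmaster@example.org>
250 ok
rcpt to:<0123456789@example.org>
550 no such user
vrfy postmaster
250 <postmaster@example.org>
"""
```

`audit(CATCH_ALL, {"0123456789"})` reports the catch-all case from the thread (bogus address accepted, VRFY refused), while `LEAKY` shows a server whose replies separate real addresses from made-up ones.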
